Embodiments of the present invention generally relate to managing and securing data. More specifically, embodiments of the present invention relate to methods and systems for acquiring and reporting data related to compliance with a set of requirements for securing stored data.
Various types of financial transactions, including for example consumer purchases or payments made using credit cards, debit cards, checks, or other non-cash instruments, typically involve a number of different entities. For example, the primary parties to the transaction include the consumer and the merchant or other supplier of the goods or services being purchased or paid for. Also included is the financial institution issuing the instrument being used, often referred to as the issuing financial institution. An acquirer can act as an intermediary between the issuing financial institution and the merchant.
For example, a typical credit card transaction in which a consumer makes a purchase from a merchant using a credit card involves the following steps. First, the merchant calculates the amount of the transaction or purchase and seeks payment from the cardholder. The cardholder then presents the merchant with his/her credit card. The merchant then runs the credit card through a point of sale terminal. The point of sale terminal captures credit card and sales information and sends that information, together with an authorization request, to the acquirer. The acquirer, in turn, processes the information received from the point of sale terminal and forwards any relevant information and the authorization request to the issuing financial institution. The issuing financial institution processes the relevant information and the authorization request to determine whether the transaction should be authorized. The issuing financial institution then sends an approval or denial code back to the acquirer. The acquirer relays the approval or denial code to the point of sale terminal for use by the merchant. If the transaction is authorized, the cardholder is allowed to consummate the transaction with the merchant. Typically, at a later time, the accounts maintained by the issuer and the acquirer are settled and reconciled. The end result is that the issuer transfers the transaction amount minus a fee to the acquirer. The acquirer then deducts its own fee from the amount received from the issuer. The remaining amount is then transferred by the acquirer to the merchant's account. The issuer also bills the cardholder for the transaction amount by sending the cardholder a credit card statement, typically on a monthly billing cycle.
Thus, the information related to the transaction is processed and/or stored by a number of different entities including the merchant and the acquirer. In some cases, other parties, such as Third Party Providers (TPPs), Value-Added Resellers (VARs) and Independent Sales Organizations (ISOs), may also be involved in the transaction and/or process or maintain information related to the transaction. For example, third-party merchant services providers offer transaction processing services to a number of banks and/or acquirers. In addition to managing the processing and recording of card transactions, such a third-party provider also manages information regarding which card products and transaction types a particular one of its acquiring bank clients is allowed to accept, in addition to information about each merchant.
Various industry mandates require that any entity that processes, stores, or transmits cardholder data comply with requirements for properly securing this data. In some cases, fines or penalties may be imposed by various industry associations for failure to comply with the requirements. Currently, the channels through which this information passes do not have a systematic way to capture, maintain, and manage the compliance status of merchants and/or other entities such as TPPs. For example, today the most accurate way to identify the TPP is to extract merchant information from incoming authorization messages submitted by the TPP. For merchant reporting and tracking, the process is manual and typically tracked in Excel spreadsheets. In addition, each channel can have a different system for managing and tracking merchant and TPP compliance. Thus, not only are reporting methods inconsistent, but there is no central database or system to provide high-level reporting and monitoring that identifies merchants or TPPs at high risk of non-compliance. Hence, there is a need in the art for improved methods and systems for acquiring and reporting data related to compliance with a set of requirements for securing stored data.